#!/usr/bin/env ansible-playbook
---
# Play 1: nftables ruleset for the ISP-facing routers (isp-1 / isp-2).
# Each key of nftables__vars is referenced from the rules below as `$name`
# (presumably rendered as an nft `define` by the nftables role — confirm there).
- hosts:
    - isp-1.rtr.infra.auro.re
    - isp-2.rtr.infra.auro.re
  vars:
    nftables__vars:
      # Administration, backbone and management prefixes; sources in these
      # ranges are dispatched to input_mgmt / input_backbone by the input chain.
      adm_ipv6: 2a09:6840:128::/56
      adm_ipv4: 10.128.0.0/16
      backbone_ipv6: 2a09:6840:203::/56
      backbone_ipv4: 10.203.0.0/16
      mgmt_ipv6: 2a09:6840:211::/56
      mgmt_ipv4: 10.211.0.0/16
      # Client prefixes; only sources in these ranges reach forward_clients.
      clients_ipv6: 2a09:6841::/48
      clients_ipv4: 100.64.0.0/10
    nftables__tables:
      # Early drop of blacklisted sources. Priority "raw - 10" (-310) runs
      # before the conntrack hook (-200), so blacklisted packets never create
      # conntrack entries. The sets are declared empty here; the `interval`
      # flag allows CIDR ranges to be added to them.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: "raw - 10"
            policy: accept
            rules:
              - "ip6 saddr @blacklist_ipv6 counter drop"
              - "ip saddr @blacklist_ipv4 counter drop"
      # Strict reverse-path filtering: a unicast packet whose source address
      # has no route back out of the interface it arrived on is dropped
      # (anti-spoofing). Non-unicast packets are exempt.
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - "fib saddr . iif oif missing pkttype unicast drop"
      # Main stateful filter. The allowed_clients sets are declared empty here
      # and are expected to be populated elsewhere (e.g. by another role or at
      # runtime — not visible in this playbook).
      filter:
        type: inet
        sets:
          allowed_clients_ipv6:
            type: ipv6_addr
            flags:
              - interval
          allowed_clients_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          # Shared stateful prelude: accept replies/related flows, drop packets
          # conntrack cannot classify. Jumped to from input, forward and output.
          conntrack:
            rules:
              - "ct state { established, related } accept"
              - "ct state invalid counter drop"
          # Services accepted from backbone sources: routing/redundancy
          # protocols, ICMP, and BGP (TCP 179).
          # NOTE(review): `ip6 nexthdr` matches only the first Next Header of
          # the IPv6 packet; when an extension header precedes the transport
          # header (e.g. AH), the match fails and the packet falls through to
          # the drop policy. `meta l4proto` matches past extension headers —
          # worth switching if extension headers are expected on these links.
          input_backbone:
            rules:
              - "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
              - "ip protocol { ospf, vrrp, icmp } accept"
              - "tcp dport 179 accept"
          # Management access: ICMP and SSH (TCP 22) only.
          input_mgmt:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
              - "tcp dport 22 accept"
          # Any other source (clients, Internet): ICMP only; everything else
          # is dropped by the input policy.
          input_other:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
          # Locally-destined traffic, default drop. Sources are classified by
          # prefix via verdict maps; unmatched sources end in input_other.
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "iif lo accept"
              # FIXME: don't use ifaces — link-local (fe80::/10) sources cannot
              # be classified by prefix, so the backbone interface name is
              # hard-coded here (presumably for link-local OSPFv3/VRRP hellos).
              - "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
              - "ip6 saddr vmap { \
                   $backbone_ipv6: goto input_backbone, \
                   $mgmt_ipv6: goto input_mgmt, \
                   $adm_ipv6: goto input_mgmt \
                 }"
              - "ip saddr vmap { \
                   $backbone_ipv4: goto input_backbone, \
                   $mgmt_ipv4: goto input_mgmt, \
                   $adm_ipv4: goto input_mgmt \
                 }"
              - "goto input_other"
          # Reached only for packets sourced from the client prefixes:
          # client-to-client forwarding is dropped first, then only sources
          # present in the allowed_clients sets are accepted; non-listed
          # clients fall back to the forward policy (drop).
          # NOTE(review): for allowed clients every non-client destination is
          # accepted, including the adm/mgmt/backbone prefixes declared above.
          # If those prefixes are routable through these routers, an explicit
          # `ip6 daddr`/`ip daddr` drop for them before the accept rules would
          # be needed — confirm against the routing setup.
          forward_clients:
            rules:
              - "ip6 daddr $clients_ipv6 drop"
              - "ip daddr $clients_ipv4 drop"
              - "ip6 saddr @allowed_clients_ipv6 accept"
              - "ip saddr @allowed_clients_ipv4 accept"
          # Transit traffic, default drop: only client-sourced packets are
          # dispatched; new flows from any other source (Internet, backbone)
          # are dropped unless they belong to an established connection.
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "ip6 saddr $clients_ipv6 goto forward_clients"
              - "ip saddr $clients_ipv4 goto forward_clients"
          # Locally-generated traffic is accepted; the conntrack jump only
          # drops invalid packets here.
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - "jump conntrack"
  roles:
    - nftables

# Play 2: nftables ruleset for the infrastructure routers (infra-1 / infra-2).
# Same blacklist / reverse_path_filter / input structure as the ISP play, plus
# an IPv4 SNAT table; int_* replaces the clients_* prefixes as the internal side.
- hosts:
    - infra-1.rtr.infra.auro.re
    - infra-2.rtr.infra.auro.re
  vars:
    nftables__vars:
      adm_ipv6: 2a09:6840:128::/56
      adm_ipv4: 10.128.0.0/16
      backbone_ipv6: 2a09:6840:203::/56
      backbone_ipv4: 10.203.0.0/16
      mgmt_ipv6: 2a09:6840:211::/56
      mgmt_ipv4: 10.211.0.0/16
      # Internal prefixes whose new flows may be forwarded (see forward chain).
      int_ipv6: 2a09:6840:206::/56
      int_ipv4: 10.206.0.0/16
      # Destinations excluded from SNAT; a list here is presumably rendered
      # as an anonymous nft set `{ ... }` — verify in the nftables role.
      local_ipv4:
        - 100.64.0.0/10
        - 10.0.0.0/8
        - 45.66.108.0/22
    nftables__tables:
      # Early drop of blacklisted sources, before conntrack ("raw - 10" = -310,
      # conntrack hooks at -200). Sets are declared empty; `interval` allows
      # CIDR entries.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: "raw - 10"
            policy: accept
            rules:
              - "ip6 saddr @blacklist_ipv6 counter drop"
              - "ip saddr @blacklist_ipv4 counter drop"
      # Strict reverse-path filtering (anti-spoofing): drop unicast packets
      # whose source has no route back via the ingress interface.
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - "fib saddr . iif oif missing pkttype unicast drop"
      # Main stateful filter (no sets on these hosts).
      filter:
        type: inet
        chains:
          # Shared stateful prelude, jumped to from input, forward and output.
          conntrack:
            rules:
              - "ct state { established, related } accept"
              - "ct state invalid counter drop"
          # Backbone sources: routing/redundancy protocols, ICMP, BGP (TCP 179).
          # NOTE(review): `ip6 nexthdr` only inspects the first Next Header;
          # packets carrying an extension header (e.g. AH) miss and hit the
          # drop policy. `meta l4proto` matches past extension headers.
          input_backbone:
            rules:
              - "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
              - "ip protocol { ospf, vrrp, icmp } accept"
              - "tcp dport 179 accept"
          # Management sources: ICMP and SSH (TCP 22) only.
          input_mgmt:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
              - "tcp dport 22 accept"
          # Unclassified sources: ICMP only.
          input_other:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
          # Locally-destined traffic, default drop; sources are dispatched by
          # prefix via verdict maps, unmatched ones end in input_other.
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "iif lo accept"
              # FIXME: don't use ifaces — link-local sources cannot be classified
              # by prefix, so the backbone interface name is hard-coded here.
              - "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
              - "ip6 saddr vmap { \
                   $backbone_ipv6: goto input_backbone, \
                   $mgmt_ipv6: goto input_mgmt, \
                   $adm_ipv6: goto input_mgmt \
                 }"
              - "ip saddr vmap { \
                   $backbone_ipv4: goto input_backbone, \
                   $mgmt_ipv4: goto input_mgmt, \
                   $adm_ipv4: goto input_mgmt \
                 }"
              - "goto input_other"
          # Transit traffic, default drop. The two FIXME rules accept every new
          # flow sourced from the internal prefixes regardless of destination;
          # all other new flows are dropped (replies come back via conntrack).
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "ip6 saddr $int_ipv6 accept" # FIXME
              - "ip saddr $int_ipv4 accept" # FIXME
          # Locally-generated traffic is accepted; only invalid packets are
          # dropped by the conntrack jump.
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - "jump conntrack"
      # IPv4-only source NAT: new flows leaving for any destination outside
      # local_ipv4 are rewritten to 10.128.10.4 (an address in adm_ipv4).
      # NOTE(review): the rule has no source match, so its scope is bounded
      # only by the forward chain above (int_* sources). Adding
      # `ip saddr $int_ipv4` here would keep the NAT scope explicit and
      # independent of the filter table — consider.
      nat:
        type: ip
        chains:
          postrouting:
            type: nat
            hook: postrouting
            priority: srcnat
            policy: accept
            rules:
              - "ip daddr != $local_ipv4 snat to 10.128.10.4"
  roles:
    - nftables
...